Anti-pirate method for the distribution of digital content by pro-active diversified transmission, associated transmitting device and portable receiving object

ABSTRACT

The invention concerns an anti-pirate method for the distribution of digital content by pro-active diversified transmission, associated transmitter device and portable receiving object. The method, designed to make the same information (K c ) available to several receivers ( 1 ) belonging to a group (G) of receivers, each receiver storing information (SA i ) specific to it, is characterized in that it includes the following steps: define a relation K c =f(K, b i , SA i ) where (f) is a given function, (K) is information common to all the receivers, and (b i ) is information different for each receiver and for each value of the information (K); —enable each receiver to access information (b i ) before making (K c ) available; and transmit the information (K) to all receivers, just before making (K c ) available; so that each receiver can calculate information (K c ) using said relation.

BACKGROUND AND SUMMARY OF THE INVENTION

Numerous pay-TV channels currently fall victim to fraud. In particular,pirate cards are frequently used to view their channels. This inventionproposes a new system for transmission of image decryption keys (or ofthe image itself) which offers numerous advantages: the system isrelatively simple to implement and can react quickly if pirate cardsshould appear (flexibility).

If a pirate card is obtained, it is possible to find out from theexterior (i.e. just by observing its operation) what secrets it holds,which may possibly be used to find out from which real card it obtainedthese secrets, but especially to quickly disable all the pirate cardswithout disabling the legitimate cards. This is known as traitor tracingand in particular black box (traitor) tracing. Note that the inventionproposed is extremely efficient and secure compared with the othersystems proposed in the cryptographic literature (see references). Notealso that this invention is not limited to television: the method canalso be used whenever the same content must be transmitted to severalauthorised receivers.

The new method is characterised by very reasonable rates which arecompatible with the speed limitations imposed by the communicationchannels. In addition, it stands out from other methods due to the veryshort length of the data K which is transmitted in real time in order toaccess the protected content: this length can be as short as just 64bits.

The invention therefore concerns a method to make the same information(K_(c)) available to several receivers belonging to a group (G) ofreceivers, each receiver storing information (SA_(i)) specific to it,characterised in that it comprises the following steps:

-   -   define a relation K_(c)=f(K, b_(i), SA_(i)) where (f) is a given        function, (K) is information common to all the receivers, and        (b_(i)) is information different for each receiver and for each        value of the information (K);    -   enable each receiver to access information (b_(i)) before making        (K_(c)) available; and    -   transmit the information (K) to all receivers, just before        making (K_(c)) available;    -   so that each receiver can calculate information (K_(c)) using        said relation.        Advantageously, the function (f) is such that knowing a (b_(i))        and a (SA_(i)), no algorithm is known which could be used to        obtain the information (K_(c)) in a realistic time and with non        negligible probability, when the information (K) is not known.        Advantageously, function f is such that, knowing a certain        number of (b₁ . . . b_(n)) for a certain subgroup (G′) of        receivers, no algorithm is known which could be used, before        knowing the current K, in a realistic time and with a non        negligible probability, to produce a valid pair (b_(i), SA_(i))        with a legitimate (SA_(i)), i not being one of the receivers 1 .        . . n of (G′).

Advantageously, the function f has the format:f(K,b _(i) ,SA _(i))=b _(i) ⊕E _(K)(SA _(i))where E_(K) is a function depending on information (K) and where ⊕designates a group law.Advantageously, function (E_(K)) is a cryptographic encryption functionand (K) a secret key used by this function.Advantageously, the values (b_(i)) are sent encrypted with a key (K_(i))specific to each receiver of a certain group (G) of receivers.Advantageously, each value (SA_(i)) is a secret value known by thereceiver of index i.Advantageously, each (b_(i)) consists of two values b_(1i) and b_(2j)and equally the information specific to each receiver consists of twovalues SA_(i) et SA_(j), such that each receiver, identified by the pairof indices (i,j), combines the corresponding values b_(1i) and b_(2j)with the values SA_(i) and SA_(j) to calculate values K_(c1) and K_(c2)using said relation, which are in turn combined to access theinformation K_(C).Advantageously, the information K_(c) is a key used to decrypt a digitalcontent such as a television image.Advantageously, the information K_(c) can be used for several minutes bythe receivers, the information K is sent several seconds in advance andthe values b_(i) are sent regularly, starting several days in advance.Advantageously, certain receivers find at least some of their valuesb_(i) in a list of values prestored in the receivers.The invention also concerns a portable receiver object belonging to agroup (G) of portable objects and comprising information processingmeans and information storage means, the storage means storinginformation (SA_(i)) which is specific to the portable object and agiven function (f), characterised in that it comprises:

means to obtain access to information (b_(i)) different for eachportable object of the group (G) and for each value of the information(K); and

means to calculate information (K_(c)) using a relation K_(c)=f(K,b_(i), SA_(i)) where K is information common to all the portable objectsand transmitted to them.

Lastly, the invention concerns a transmitter device to make the sameinformation (K_(c)) available to several receivers belonging to a group(G) of receivers, each receiver storing information (SA_(j)) specific toit, characterised in that it comprises:

-   -   calculation means designed to calculate information (b_(i))        using a relation K_(c)=f(K, b_(i), SA_(i)) where (f) is a given        function, (K) is information common to all the receivers and        information (b_(i)) is information different for each receiver        and for each value of the information (K); and    -   transmission means designed to transmit to each receiver, a        certain time before making (K_(c)) available, the information        (b_(i)) associated with it, and to transmit information (K) to        all the receivers, just before making (K_(c)) available.

BRIEF DESCRIPTION OF THE DRAWINGS

Other details and advantages of this invention will appear during thefollowing description of a preferred but non-limiting method ofexecution, and referring to the attached drawings in which:

FIG. 1 represents a receiver as a smartcard type portable object; and

FIG. 2 represents an associated transmitter device.

1 EXAMPLE OF SYSTEM 1.1 Description

We will consider a system for the distribution of the same informationto numerous valid receivers. For example, a pay-TV system. Let K_(c)represent the information decryption key. This key has, for example, alifetime of 10 minutes and may require between 64 and 128 bits. We willdescribe a method which enables the receivers to recalculate the newvalue of K_(c) every 10 minutes. Note that here, all the receivers willcalculate the same value of K_(c), although they will all have differentsecrets.

We will consider a receiver and call it “receiver of index i”. Thisreceiver has, here, at least two values specific to it: an encryptionkey K_(i), and a secret value SA_(i).

The organisation responsible for transmission will generate a secret keyK, then calculate, for every index i, the following value:b _(i) =K _(c) ⊕E _(K)(SA _(i)),where E designates an encryption function, or more generally a one-wayfunction, using a key K, and where ⊕ designates a group law (for examplebit by bit XOR, or addition modulo 256), and it will transmit all thesevalues b_(i), encrypted respectively with a key K_(i). For example, itwill regularly transmit all values b_(i) several days in advance.Consequently, a receiver which will be in reception mode will be able,several days in advance, to decrypt the value b_(i) (using its keyK_(i)).Then, just a few seconds before the key K_(c) becomes useful, thetransmitter will send the secret key K to all the receivers. This keycan be very short, for example 64 bits. They will now be able tocalculate K_(c) by calculating y=E_(K)(SA_(i)), then K_(c)=b_(i)⊕y⁻¹ (ifthe group operation is bit by bit XOR, then y⁻¹=y).Note that the “time” factor plays a very important role here: beforetransmitting K, none of the receivers can calculate the value of K_(c),and they all have in memory different values b_(i) and SA_(i). Then, assoon as K has been transmitted, they will all, using this sole value Kand their different values SA_(i) and b_(i), be able to recalculate thesame value K_(c).Remember that a one-way function is one which can be calculated in onedirection with no particular information, but which cannot be calculatedin the inverse direction, except possibly if certain parameters areknown. It is in particular a hashing function such as MD5 or SHA.

1.2 “Black Box Traitor Tracing”, or how to React if Pirate Cards shouldAppear

If pirate cards should appear, it is possible to react: firstly bydetecting the secret(s) held in the card (see below), secondly bydisabling all cards which have this (these) same secret(s) (see below).This can be done without changing the other cards in circulation, whichwill continue to operate.

1.3 Detection of Secret(s)

Firstly, assume that the secrets of a single true receiver are held in apirate card. The valid cards will be separated into two groups withapproximately the same number of elements: A and B. The true valuesb_(i) for A and false values b_(i) for B are then transmitted to thepirate card to find out whether it can still decrypt the imagescorrectly. If yes, its secret belongs to A, otherwise it belongs to B.Then start again with two new subgroups. If there are approximately2^(n) possible indices i, it will take approximately n attempts to findthe index in question.Note that it is not necessary to read the secrets held in the card: itis sufficient to observe its operation. If several secrets are presenton the same card, the method indicated can be used to detect a 1^(st)secret. The transmission of values b_(i) corresponding to this secret isthen stopped, and a 2^(nd) secret is detected, etc. It is also possiblethat the pirate card could hold the secrets of several true receivers,using the secrets in a complex manner: detection then becomes moredifficult, but still generally possible as long as there are not toomany secrets held in the pirate card.1.3.1 Disabling Cards with this(these) Secret(s)Simply stop transmitting the values b_(i) corresponding to thesesecrets.

2 GENERAL BASIC SETUP

A broad summary of the basic principle at the centre of the inventionwill be given, and more general improvements, variants and versionsderived from it will be described in the following chapters.

Let G be a group of legitimate receivers. The objective is to transmitto them (and only them) a content K_(c), consisting of all types ofinformation (data, program, cryptographic key, etc.), especially adigital content. The content K_(c) may in particular be a key to accessa pay-TV program. The content K_(c) is identical for all the receiversand, typically, it will change very rapidly to avoid fraudulentredistribution.The basic principle of the invention is to transmit K_(c) to alllegitimate receivers via another key K sent in cleartext, so that eachreceiver has a means of calculating K_(c) using K, which is completelydifferent from that used by the other receivers.Generally, this means will be a value b_(i), transmitted well inadvance, which it finds in its memory. Just before K_(c) must be madeavailable to the receivers, a unique value K is transmitted to all thereceivers in the group G, so that each receiver can calculate K_(c)using a function f which it has and which takes as input K, b_(i), and avalue SA_(i) specific to it. For every index i in the group ofreceivers, we therefore have:K _(c) =f(K,b _(i) ,SA _(i)).The time when K must be transmitted to the receivers will have to bedetermined according to circumstances, to ensure that a defrauder cannotrecalculate K_(c) or at least use it fraudulently, in the time betweentransmission of K and the time when K_(c) is made available. Generally,K will be transmitted a few seconds or a few minutes before K_(c) ismade available.2.1 Variants of the Basic SetupVariant 1For certain applications, the values SA_(i) do not have to be secret:they can be public.Variant 2For certain applications, when the values SA_(i) are secret, the valuesb_(i) can be transmitted in cleartext to the receivers.Variant 3Function E, instead of being an encryption function, can be moregenerally a one-way function using a key K, for example a cryptographichashing function such as SHA-1.Variant 4—Prestorage of values b_(i)Rather than transmitting the values b_(i), they can be precalculated andprestored in the receiver, for example in flash memory, on the harddisk, CD-ROM or DVD. They can also be broadcast locally, for example viathe building cable or microwaves.

3 GENERALISED SETUP

The above setup with these variants can be duplicated or replicated,which offers considerable improvements in terms of performance anddetection of gangs of defrauders. We will first describe a duplicatedversion then later explain the general principle which allows the systemto be used several times in parallel, and all the resulting benefits.

3.1 2^(nd) Example of System

In this case, each receiver has, instead of the value SA_(i) which wasspecific to it, two values SA_(i) et SA_(j), so that several receiverscan have the same SA_(i) or the same SA_(j), but not the same SA_(i) andthe same SA_(j) simultaneously. Each receiver is therefore characterisedby a pair of indices (i, j) specific to it.In addition, each receiver can have two encryption keys. K_(i) andK_(j), so that several receivers can have the same K_(i) or the sameK_(j), but not the same K_(i) and the same K_(j) simultaneously. Thekeys K_(i) can be used to transmit the values b_(i) to the receiverssecretly (except in the variant where the values b_(i) are public).The organisation responsible for the transmissions will generate twosecret values K_(c1) and K_(c2). They are then combined to access themain key K_(c) or to access the content directly. For example, we couldhave: K_(c)=K_(c1) # K_(c2), where # is a group law.It then generates a key K and calculates all the valuesb _(1i) =K _(c1) ⊕E _(K)(SA _(i))and b _(2j) =K _(c2) ⊕E _(K)(SA _(j))where E designates an encryption function or more generally a one-wayfunction, using the key K and where ⊕ designates a group law, and itwill then transmit all these values b_(1i) encrypted with key K_(1i) andall the values b_(2j) encrypted with K_(j). For example, it willregularly transmit all values b_(1i) and b_(2j) several days in advance.Consequently, a receiver which will be in reception mode will be able,several days in advance, to decrypt the value b_(1i) (using its keyK_(i)) and the value b_(2j) (using its key K_(j)).Then, just a few seconds before the key K_(c) becomes useful, thetransmitter will send the secret key K to all the receivers. They willnow be able to calculate K_(c) by calculating y=E_(K)(SA_(i)),z=E_(K)(SA_(j)), then K_(c1)=b_(1i)⊕y⁻¹, K_(c2)=b_(2j)⊕z⁻¹, then andfinally K_(c)=K_(c1) # K_(c2).The advantage of this 2^(nd) version is that fewer values b_(i) aretransmitted than with the 1^(st) version (since several receivers havethe same values b_(1i) or b_(2j)). Typically, it is possible to onlytransmit a number of b_(1i) and of b_(2j) approximately equal to thesquare root of the number of receivers.3.2 The Replicated Generalised Setup.Instead of duplicating the basic setup, it can more generally bereplicated. Each value b_(i) is therefore composed of one or morevalues: (b_(1i), b_(2j), b_(3k), . . . ) and each receiver ischaracterised by a list of indices (i, j, k, . . . ) and correspondingaddresses (SA_(i), SA_(j), SA_(k), . . . ). The receiver characterisedby the list (i, j, k, . . . ) uses the corresponding values (b_(1i),b_(2j), b_(3k), . . . ) with (SA_(i), SA_(j), SA_(k), . . . ) to decryptthe values K_(ci) (K_(c1), K_(c2), K_(c3), . . . ) which must becombined to calculate a key to access the content K_(C), or the contentitself.Each receiver will be identified by a list of indices, preferablyunique, of the form (i), (i,j) or (i, j, k, . . . ) used to identify it(or to identify a small group of suspect receivers). Equally, we couldsay that the receiver is characterised by its group of keys or addressesaccording to two possible interpretations, which is its group (SA_(i),SA_(j), SA_(k), . . . ). This setup can therefore be combined with anyother traitor tracing setup with known secret key, for example thatdescribed in the article Tracing Traitors, Crypto'94, by Benny Chor,Amos Fiat, and Moni Naor. In this case, the traditional traitor tracingprotocol must specify how to distribute secrets (SA_(i), SA_(j), SA_(k),. . . ) to receivers and how to calculate the main key K_(C) from thekeys K_(Ci). This must be carried out, depending on the setup used, sothat for a certain number C of receivers which share their keys to builda pirate decoder, it is still possible to identify one or all of thepirates, or at least deactivate all the pirate decoders without,preventing non-pirate legitimate receivers from accessing the content.According to the method of the invention, as already explained above,there are many ways of finding the keys held in a pirate card, withoutdisassembling the card, simply by observing its operation on atransmission in which only some of the values b_(i) are correct. Thisblack-box tracing property is kept in the generalisations of the basicsetup, and it is therefore possible to stop transmitting the value ofb_(i) corresponding to one or more secrets SA_(i) which are held in thepirate card. At the same time, a new value of SA_(i) may have to be sentto the legitimate receivers (in advance, and preferably encrypted with asecret key).3.3 Variants of the Generalised SetupAll the variants described in paragraph 2.1 for the basic setup can alsobe applied to the replicated setup described in section 3.In addition, there are other groups of variants specific to the generalduplicated or replicated setup:Variant group 1: these variants consist in using other ways ofdistributing secrets (SA_(i), SA_(j), SA_(k), . . . ) to receivers.Variant group 2: these variants consist in using other ways ofcalculating the main K_(C) from keys K_(Ci).Variant group 3: variants where key K used to calculate the variousvalues (b_(1i), b_(2j), b_(3k), . . . ) is not the same for all of thesevalues. For example, one key can be used for all values b_(1i) and adifferent one for the values b_(2j).Variant group 4: variants where the function f(K, b_(i), SA_(i)) usedfor the values b_(1i), b_(2j) etc. is not the same for all of thesevalues. For example, one function can be used for the values b_(1i) usedto calculate K_(c1), and a different function for the values b_(2j) usedto calculate K_(c2).Variant group 5: variants where the secret key K_(i) used to transmitthe values b_(1i) and the values b_(2j) is not the same for allreceivers which use the same i, or differs for the values b_(1i) and thevalues b_(2i).

DETAILED DESCRIPTION OF THE INVENTION

A brief description will now be given of the invention in itsimplementation using information processing devices. It concerns amethod to make the same information (Kc) available to several receiversbelonging to a group (G) of receivers, from a transmitter comprisinginformation processing means and information storage means, eachreceiver comprising information processing means and information storagemeans, the storage means of the receiver storing information (SAi)specific to it, characterised in that it comprises the following steps:

-   -   define, in the information storage means of each receiver, a        relation K_(c)=f(K, b_(i), SA_(i)) where (f) is a given        function, (K) is information common to all the receivers, and        (b_(i)) is information different for each receiver and for each        value of the information (K);    -   enable the processing means of each receiver to access        information (b_(i)), before making (K_(c)) available; and    -   transmit the information (K) to all the receivers using the        processing means of the transmitter, just before making (K_(c))        available; so that each receiver can calculate information        (K_(c)) using said relation, via its processing means.

FIG. 1 shows the general structure of a receiver 1 of type smartcard. Itcomprises information processing means or CPU 2, various types ofinformation storage means 3,4,5 (RAM, EEPROM, ROM), input/output means 6allowing the card to communicate with a card reader terminal, and a bus7 allowing these various parts to communicate together. The cardcommunicates with a remote transmitter device via the terminal (notshown).

FIG. 2 shows the general structure of a transmitter device 10. Itcomprises information processing means or processor 11, informationstorage means 12 which can be of various types (RAM, EEPROM, ROM),traditional input/output means 13 allowing the transmitter tocommunicate with the exterior, and a bus 14 allowing these various partsto communicate together. The transmitter also comprises transmissionmeans 15 especially designed to communicate according to the inventionwith all receivers with which it is associated. For a pay-TV system,these transmission means are designed to transmit images and at leastthe above-mentioned information K, especially through the use of radiowaves.

Although specific embodiments of the invention have been described andillustrated, the invention is not to be limited to the specific forms orarrangements of parts so descried and illustrated. The invention islimited only by the claims.

1. A method of operating a group (G) of receivers and transmitters tomake the same information (K_(c)) available to several receivers (1)belonging to the group (G) of receivers, each receiver i in the group(G) comprising a central processing unit (2) and information storagemeans (3, 4, 5), the storage means storing information (SA_(i)) specificto each receiver i, respectively, the method comprising: enabling eachreceiver to access information (b_(i)) before making (K_(c)) available;and transmitting a secret key (K) to all receivers, just before making(K_(c)) available; operating each receiver to calculate K_(c) from apre-defined relation K_(c)=(K, b_(i), SA_(i)) where (f) is a givenfunction, (K) is a secret key common to all the receivers, and (b_(i))is information different for each receiver and for each value of thesecret key (K).
 2. The method according to claim 1, wherein the function(f) is such that knowing a (b_(i)) and a (SA_(i)), no algorithm is knownwhich could be used to obtain the information (K_(c)) in a realistictime and with non negligible probability, when the secret key (K) is notknown.
 3. The method according to claim 1, wherein the function is suchthat, knowing a certain number of (b₁ . . . b_(n)) for a certainsubgroup (G′) of receivers, no algorithm is known which could be used,before knowing the current K, in a realistic time and with a nonnegligible probability, to produce a valid pair (b_(k), SA_(i)) with alegitimate (SA_(i)), i not being one of the receivers 1 . . . n of (G′).4. The method according to claim 1, wherein the function f has theformat: f(K, b_(i), SA_(i))=b_(i)⊕E_(K)(SA_(i)) where E_(K) is afunction depending on secret key (K) and where ⊕ designates a group law.5. The method according to claim 4, wherein the function (E_(K)) is acryptographic encryption function and (K) a secret key used by thisfunction.
 6. The method according to claim 1, wherein the values (b_(i))are sent encrypted with a key (K_(i)) specific to each receiver of acertain group (G) of receivers.
 7. The method according to claim 1,wherein each value (SA_(i)) is a secret value known by the receiver ofindex i.
 8. The method according to claim 1, wherein each (b_(i))consists of two values b_(1i) and b_(2j) and equally the informationspecific to each receiver consists of two values SA_(i) et SA_(j), suchthat each receiver, identified by the pair of indices (i,j), combinesthe corresponding values b_(1i) and b_(2j) with the values SA_(i) andSA_(j) to calculate values K_(C) 1 and K_(C) 2 using said relation,which are in turn combined to access the information K_(C).
 9. Themethod according to claim 1, wherein the information K_(C) is a key usedto decrypt a digital content.
 10. The method according to claim 1,wherein the K_(C) can be used for several minutes by the receivers, thesecret key K is sent several seconds in advance and the values b_(i) aresent regularly, starting several days in advance.
 11. The methodaccording to claim 1, wherein certain receivers find at least some oftheir values b_(i) in a list of values prestored in the receivers.
 12. Aportable receiver object (1) belonging to a group (G) of portableobjects and comprising information processing means (2) and informationstorage means (3, 4, 5), the storage means storing information (SA_(i))which is specific to the portable object and a given function (f),comprising: means to obtain access to information (b_(i)) different foreach portable object of the group (G) and for each value of the secretkey (K); and means to calculate information (K_(C)) using a relationK_(C)=f(K, b_(i), SA_(i)) where K is information common to all theportable objects and transmitted to them.
 13. A transmitter device (10)to make the same information (K_(C)) available to several receivers (1)belonging to a group (G) of receivers, each receiver storing information(SA_(i)) specific to it, comprising: calculation means (11) designed tocalculate information (b_(i)) using a relation K_(C)=f(K, b_(i), SA_(i))where (f) is a given function, (K) is information common to all thereceivers and information (b_(i)) is information different for eachreceiver and for each value of the secret key (K); and transmissionmeans (15) designed to transmit to each receiver, a certain time beforemaking (K_(C)) available, the information (b_(i)) associated with it,and to transmit secret key (K) to all the receivers, just before making(K_(C)) available.